Most webmasters love MyBB for its plugin system, its low server resource usage and its good security record as free forum software. Even so, there are still ways your forum can be hacked. Forums are most often compromised because the administrator did not know how to harden the installation, rather than because of a flaw in the software itself.

Here are some ways to improve the security of MyBB forums.

Rename Admin Directory

If an attacker doesn’t know which directory is the admin directory, he has nothing obvious to attack. Rename your admin directory to something else on your server. To do this, open your web host’s control panel and go to the File Manager, or use an FTP program such as FileZilla. Find the directory called ‘admin’ and simply rename it (something cryptic, like Nt=P+Mn, is suggested).

Then open the config.php file in the ‘inc’ directory and look for the following code:

/**
 * Admin CP directory
 * For security reasons, it is recommended you
 * rename your Admin CP directory. You then need
 * to adjust the value below to point to the
 * new directory.
 */
$config['admin_dir'] = 'admin';

Replace the word ‘admin’ there with the new name of the admin directory, in this case ‘Nt=P+Mn’.
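The rename and the config.php edit above done from a shell as one step, so the directory name and the setting cannot drift apart (an added example, not code from the original post or from MyBB; it assumes the standard layout with admin/ and inc/config.php under the forum root, and the function names are mine):

```shell
#!/bin/sh
# Added example (not from the original post): rename the MyBB Admin CP directory and
# update $config['admin_dir'] in inc/config.php in one step, so the directory name and
# the setting never drift apart. Assumes the standard MyBB layout ($ROOT/admin and
# $ROOT/inc/config.php). Usage: mybb_set_admin_dir /path/to/forum 'Nt=P+Mn'

mybb_set_admin_dir() {
    root=$1; newname=$2
    cfg="$root/inc/config.php"
    # Directory currently configured (MyBB defaults to 'admin' if the line is absent).
    cur=$(mybb_admin_dir "$root"); cur=${cur:-admin}
    [ -d "$root/$cur" ] || { echo "current admin dir '$cur' not found" >&2; return 1; }
    [ ! -e "$root/$newname" ] || { echo "'$newname' already exists" >&2; return 1; }
    # Refuse names that would break the PHP string literal or the path.
    case $newname in
        ''|*\'*|*\\*|*/*) echo "unsafe admin dir name: $newname" >&2; return 1 ;;
    esac
    mv "$root/$cur" "$root/$newname" || return 1
    # Rewrite config.php line by line rather than with sed, so characters such as
    # '=', '+', '&' or '|' in the new name are written literally, not interpreted.
    tmp="$cfg.tmp.$$"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "\$config['admin_dir']"*) printf "\$config['admin_dir'] = '%s';\n" "$newname" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    chmod 600 "$cfg"   # as the post recommends: owner-only, not 644 or 777
}

# Print the admin directory name currently set in inc/config.php (used for verification).
mybb_admin_dir() {
    sed -n "s/^\$config\['admin_dir'\] *= *'\([^']*\)';.*/\1/p" "$1/inc/config.php"
}
```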

Password Protect Your Admin Directory

This is one of the most important steps in increasing the security of a MyBB forum. In cPanel, open Password Protected Directories, find the newly renamed admin directory and enter it; it will ask for a name for the protected directory, so type the new name you chose earlier, tick the box and save. Then go back and, in the fields below, set the username and password for this directory.

From now on, whenever you go to http://www.yoursite.com/admin, or in this case http://www.yoursite.com/Nt=P+Mn, you will be asked for this username and password before you even reach the MyBB login where your administrator username and password are required. So it is a double layer of protection.

Deny External Access to the Config File

This is an .htaccess method that returns a 403 error to anybody who tries to access the config file directly over HTTP. Your MyBB forum will still run normally, because PHP reads the file from disk; this protects it from external requests only. The directives below are Apache 2.2 syntax; on Apache 2.4 they only work if mod_access_compat is loaded, and the native equivalent is Require all denied.

# Protect the config.php file (Apache 2.2 syntax; on Apache 2.4 use "Require all denied")
<Files config.php>
    Order deny,allow
    Deny from all
</Files>

Save this as an .htaccess file in your ‘inc’ directory, then also change the permissions of config.php from 644 to 600 so that only the file owner can read it.

.htaccess Protect Your Admin Directory

If you have a static IP address, or a fixed set of addresses that you know you will always be coming from, use this second trick to let only those addresses into the admin directory. Be aware that it locks out everybody else, including you, if your address doesn’t match what is listed in the .htaccess file inside the admin directory.

To do this, create a .htaccess file in your admin directory with the following content, one Allow line per address (add as many lines as you have administrators or addresses):

# Send anybody who is refused back to the forum front page instead of a bare 403
ErrorDocument 403 http://www.yoursite.com
Order deny,allow
Deny from all
# One line per administrator address; 203.0.113.10 and 198.51.100.7 are placeholders,
# replace them with your own static addresses (each octet must be 0-255)
Allow from 203.0.113.10
Allow from 198.51.100.7
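An audit of the hardening steps from this and the two previous sections (renamed admin directory, config.php locked down to mode 600 and denied in inc/.htaccess, a second layer on the admin directory, no world-writable files), written as an added example that is not part of the original post; the function name and the standard MyBB layout are assumptions:

```shell
#!/bin/sh
# Added example (not from the original post): audit a MyBB install for the hardening
# described above. Prints one line per finding and returns the number of findings,
# so it can run from cron or a deploy hook. Assumes the standard layout:
# $ROOT/inc/config.php and $ROOT/<admin_dir>/.   Usage: mybb_audit /path/to/forum

mybb_audit() {
    root=$1; n=0
    cfg="$root/inc/config.php"
    admin=$(sed -n "s/^\$config\['admin_dir'\] *= *'\([^']*\)';.*/\1/p" "$cfg")
    admin=${admin:-admin}   # MyBB's default when the line is missing

    # 1. The Admin CP directory still has its default name.
    [ "$admin" != admin ] || { echo "FINDING: admin directory not renamed"; n=$((n+1)); }

    # 2. config.php should be readable by its owner only (600, not 644 or 777).
    mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg" 2>/dev/null)
    case $mode in
        600|400) ;;
        *) echo "FINDING: inc/config.php mode is $mode, expected 600"; n=$((n+1)) ;;
    esac

    # 3. inc/.htaccess should deny direct HTTP access to config.php
    #    (Apache 2.2 "Deny from all" or Apache 2.4 "Require all denied").
    ht="$root/inc/.htaccess"
    if ! grep -qi 'config\.php' "$ht" 2>/dev/null || \
       ! grep -qiE 'deny from all|require all denied' "$ht" 2>/dev/null; then
        echo "FINDING: inc/.htaccess does not deny access to config.php"; n=$((n+1))
    fi

    # 4. The admin directory should have a second layer: HTTP auth or an IP allowlist.
    ht="$root/$admin/.htaccess"
    if ! grep -qiE '^(AuthType|Allow from|Require ip)' "$ht" 2>/dev/null; then
        echo "FINDING: $admin/.htaccess has neither HTTP auth nor an IP allowlist"; n=$((n+1))
    fi

    # 5. Nothing in the forum tree should be world-writable (CHMOD 777).
    ww=$(find "$root" -type f -perm -002 | wc -l | tr -d ' ')
    [ "$ww" -eq 0 ] || { echo "FINDING: $ww world-writable file(s) under $root"; n=$((n+1)); }

    return "$n"
}
```

Run it after each change; an exit status of 0 means every check on this page passed.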

Here are some more points to consider to increase your MyBB forum’s security.

Your passwords should be cryptic and therefore stronger: use uppercase and lowercase letters, numbers and symbols, and make them at least 16 characters long, preferably more. According to Blogussion, even a simple ten-character password can take up to 580 million years to crack. Isn’t that the kind of protection you want?

Update as soon as possible – New versions are released for a reason. Besides fixing a lot of bugs, they often patch an important security hole, and once that hole has been announced to the public, why would you leave your forum vulnerable? MyBB has a handy way of reminding you within your ACP when new updates are available. Updating includes plugins: a plugin can be a little back door into the huge mansion called MyBB, and if you leave that door unlocked, anybody can walk right in.

Change your password often – You won’t know that somebody has found out your password until it’s too late. The best thing to do is to change it regularly and to use a different password for each service.

Remove the version numbers – To disable version numbers, go to ‘General Configuration’ under ‘Board Settings’ in your Admin CP, find ‘Show Version Numbers’ and set it to ‘Off’.

Don’t just upload every plugin under the sun – PHP files from third-party plugins that were not part of the original MyBB package can conflict with each other and open a hole in your security, especially if they do not come from the MyBB Mods site (MyBB security-screens all plugins submitted there). Anybody can publish a plugin on the Internet, and plugins are an easy way to plant a backdoor in your forum or infect it with malicious code.

Make sure only the necessary files are writable – Even though your Admin CP says your config.php file should be CHMOD 777, I really don’t see why. It is a very bad idea and puts your entire board at risk.

Make and download backups regularly – MyBB’s task manager already has a feature that makes backups for you; all you need to do is download them to your computer. I personally create a backup in cPanel and download it, and then download all the files from the file manager as well (select all, choose Compress and give the archive a name not already used by a file or folder; this creates a zip of everything in the folder, which you can then download). I download a backup of the whole forum every week, so even if I get hacked I can re-upload the forum, get it back online and make the necessary changes so it can’t be hacked the same way again.

Don’t share passwords – Not even with the other administrators of your forum.